DETAILED ACTION

Response to Amendment 

1. This action is in response to the request for reconsideration filed June 18, 2009.

2. Claims 1-11 have been amended. Claims 12-16 were added. 

3. Applicant's arguments, with respect to the claims, have been considered and are 
persuasive, however new grounds of rejection are presented below. 

Specification 

4. The disclosure is objected to because of the following informalities: typographical 
errors. The specification recites "destination source IP address" (page 1, line 24; page 4, line 
9). 

Appropriate correction is required. 

Response to Arguments 

5. Applicant's arguments, see pages 2-4, filed June 18, 2009, with respect to the objections 
to the specification have been fully considered and are persuasive. The objections have been 
withdrawn. 

6. Applicant's arguments, see replacement sheets, filed June 18, 2009, with respect to the 
objection to the drawings have been fully considered and are persuasive. The objection has been 
withdrawn. 

7. Applicant's arguments, see replacement sheets, filed June 18, 2009, with respect to the
objection to the claims 5, 6, and 11 have been fully considered and are persuasive. The
objections have been withdrawn. 

8. Applicant's arguments, see page 6, filed June 18, 2009, with respect to the rejections of 
claims 4 and 5 under 35 U.S.C. § 112, second paragraph have been fully considered and are
persuasive. The rejections have been withdrawn. 

9. Applicant's arguments, see page 13-14, filed June 18, 2009, with respect to the 
rejection(s) of claim(s) 1 under 35 U.S.C. § 103(a) have been fully considered and are 
persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, 
a new ground(s) of rejection is made in view of newly cited art by Chrysanthakopoulos in view 
of Haviland. 

10. Applicant's arguments with respect to claims 4 and 5 have been considered but are moot 
in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 112 

11. The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

12. Claims 12 and 13 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply
with the written description requirement. 

The claims contain subject matter which was not described in the specification in such a
way as to reasonably convey to one skilled in the relevant art that the inventors, at the time the 
application was filed, had possession of the claimed invention. 

Independent claim 12 recites "determine if a destination IP address included in a received
data packet corresponds to a gateway IP address of the management port; if the destination IP 
address does not correspond to the gateway IP address of the management port, determine if the 
data packet originated from a management virtual local area network (VLAN). . ." whereupon if 
additional conditions are met, the packet is dropped. Additionally, dependent claim 13 recites "if 
the destination IP address does correspond to the gateway IP address of the management port, 
the control component is configured to pass the data packet." Examiner requests the Applicant 
specify where support for such features can be found and/or how the disclosure can be 
interpreted to provide sufficient support for such features. 

13. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

14. Claims 2-3, 8, and 10 are rejected under 35 U.S.C. 112, second paragraph, as being
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. Dependent claims 2-3 and 8 recite "a data packet" and "the 
data packet" while independent claim 1 recites "management data packets." Dependent claim 10 
recites "a data packet" and "the data packet" while independent claim 9 recites "management 
data packets." It is unclear whether the dependent claims are referring to the same packets as 
those "management data packets" recited in the respective independent claims. For the purposes 
of examination, it will be assumed that the "data packets" recited in the dependent claims 
correspond to the "management data packets." 

15. Claims 12 and 14 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite
for failing to particularly point out and distinctly claim the subject matter which applicant
regards as the invention. Claim 12 recites "determine if the data packet originated from a
management virtual local area network" and subsequently "if the destination IP address did not 
originate from the management VLAN". Claim 14 recites "if the destination IP address did 
originate from the management VLAN." For the purposes of examination, the limitations of 
determining if the destination IP address did/did not originate from the management VLAN will 
be interpreted as determining if the data packet did/did not originate from the management 
VLAN. 

16. Claims 12 and 13 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite
for failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. 

17. Independent claim 12 recites "determine if a destination IP address included in a received 
data packet corresponds to a gateway IP address of the management port; if the destination IP 
address does not correspond to the gateway IP address of the management port, determine if the 
data packet originated from a management virtual local area network (VLAN). . ." whereupon if 
additional conditions are met, the packet is dropped. Additionally, dependent claim 13 recites "if 
the destination IP address does correspond to the gateway IP address of the management port, 
the control component is configured to pass the data packet." Both of these limitations appear to 
contradict the disclosure, particularly Fig. 3 (corresponding to page 10, lines 5-15). As such, 
Examiner submits that the particular limitations are rendered unclear and thus indefinite. 

For the purposes of examination, claim 12 will be interpreted as "determine if a 
destination IP address included in a received data packet corresponds to a gateway IP address of 
the management port; if the destination IP address DOES correspond to the gateway IP address 
of the management port, determine if the data packet originated from a management virtual local
area network (VLAN). . ." while claim 13 will be interpreted as "wherein if the destination IP
address DOES NOT correspond to the gateway IP address of the management port, the control
component is configured to pass the data packet."

Claim Rejections - 35 USC § 103 

18. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

19. Claims 1, 4-5, 7 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Chrysanthakopoulos et al. (US Patent 7,343,441) (hereinafter Chrysanthakopoulos), in view of 
Haviland (Designing High-Performance Campus Intranets with Multilayer Switching, 1998) 
(previously cited). 

As per claim 1, Chrysanthakopoulos teaches a method comprising: 

identifying, by a network device, a first port of the network device as a management port 
(column 5, lines 26-31, predetermined management port; Fig. 2, item 222c); 

identifying, by the network device, a second port of the network device as a non- 
management port (Fig. 2, items 222a or 222b); and 

filtering, by the network device, management data packets received on the second port 
(column 6, lines 28-29, determining whether received management command; column 6, lines 
54-57, discriminates identity of corresponding receiving port). 

Chrysanthakopoulos does not explicitly teach the method wherein the first port has a
gateway address.

However, Haviland teaches gateway addresses corresponding to ports (page 25, second 
table featuring Device, IP Address, and Gateway Address for the management port of each 
switch). It would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Chrysanthakopoulos to map the first port to a gateway address, as Haviland 
teaches that it is important to keep track of the IP addresses of management interfaces (page 30). 

As per claim 4, Chrysanthakopoulos in view of Haviland teaches the method of claim 1, 
as applied above. Haviland additionally teaches the method, further comprising: 

defining a virtual local area network including the first port and a first subnet (page 10,
column 2, a subnet corresponds to a VLAN, a VLAN may map to one or more switches); and

allowing access to management functions of the network device only to those hosts 
connected to the first subnet (page 15, column 1, designating a VLAN for management traffic 
whereby policies can be applied with access lists. As subnets and VLANs correspond to one 
another, allowing access to hosts connected to the VLAN is analogous to allowing access to 
hosts connected to the subnet.). 

As per claim 5, Chrysanthakopoulos in view of Haviland teaches the method of claim 4, 
as applied above. Chrysanthakopoulos in view of Haviland additionally teaches the method, 
further comprising: 

connecting another network device to the second port (Chrysanthakopoulos, Fig. 2,
devices A, B, or C); 

defining a port of the another network device as part of the virtual local area network 
(Haviland, page 15, column 1, designating a VLAN for management traffic), wherein the port of
the another network device is assigned a source IP address that corresponds to the gateway
address of the first port (Haviland, second table, devices ala and dla on the VLAN have
management ports with the same gateway address), and wherein management data packets for
managing the another network device are sent to the source IP address (Chrysanthakopoulos, 
column 5, lines 26-31, in order to manage a device, management commands must be sent to the 
corresponding management port of the device). 

As per claim 7, Chrysanthakopoulos in view of Haviland teaches the method of claim 1, 
as applied above. Haviland additionally teaches the method, further including: providing an 
application specific integrated circuit operable to filter management data packets received on the 
second port (page 3, ASICs handle packet forwarding; page 15, policies are applied with access 
lists such that access to management traffic and management ports on network devices is 
carefully controlled). 

20. Claims 2-3, 8, and 12-16 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Chrysanthakopoulos, in view of Haviland, and further in view of Blewett et al. (US Patent 
7,131,141) (hereinafter Blewett). 

As per claim 2, Chrysanthakopoulos in view of Haviland teaches the method of claim 1,
as applied above. Neither reference explicitly teaches the method, wherein the filtering includes: 

determining if a destination IP address for a data packet received on the second port has a 
destination IP address that corresponds to the gateway address of the first port.

However, Blewett teaches a gateway using a rule table to determine whether to accept or 
drop packets received based upon source/destination port, protocol, and source/destination IP 
addresses (column 10, lines 14-40). It would have been obvious for one of ordinary skill in the 
art at the time of the invention to further modify Chrysanthakopoulos to determine whether the 
destination IP address of a packet received in a second port (non-management port) corresponds 
to the gateway address of a first port (management port), as Blewett teaches utilizing various 
types of packet handling rules to implement a desired security gateway functionality (column 10, 
lines 11-13) (in this case, filtering management commands as taught by Chrysanthakopoulos in 
view of Haviland). 

As per claim 3, Chrysanthakopoulos in view of Haviland and Blewett teaches the method 
of claim 2, as applied above. Chrysanthakopoulos in view of Haviland and Blewett additionally 
teaches the method, wherein the filtering further includes: 

if the destination IP address for the data packet received on the second port corresponds 
to the gateway address of the first port, determining if the data packet utilizes a management 
protocol (Chrysanthakopoulos, column 6, lines 31-34, inspecting the received data to determine 
if received a management command); and

if the data packet utilizes a management protocol, dropping the data packet
(Chrysanthakopoulos, column 6, lines 65-66, determining the receiving ports identification; 
column 2, lines 50-54, any management commands received from devices coupled to the 
communication bus but not to the management port -coupled to non-management port — cannot 
be authorized, and are ignored). 

As per claim 8, Chrysanthakopoulos in view of Haviland teaches the method of claim 1, 
as applied above. Chrysanthakopoulos in view of Haviland additionally teaches the method 
further including: 

providing an application specific integrated circuit operable to (Haviland, page 3, ASICs 
handle packet forwarding): 

determine if the data packet utilizes a management protocol (Chrysanthakopoulos, 
column 6, lines 31-34, inspecting the received data to determine if received a management 
command); and 

drop the data packet if it is determined that the data packet has a destination IP address 
that corresponds to the gateway address of the first port, and that the data packet utilizes a 
management protocol (Chrysanthakopoulos, column 6, lines 65-66, determining the receiving 
ports identification; column 2, lines 50-54, any management commands received from devices 
coupled to the communication bus but not to the management port -coupled to non-management 
port— cannot be authorized, and are ignored). 

Neither reference explicitly teaches the method wherein the ASIC is further operable to:
determine if a destination IP address for a data packet received on the second port corresponds to
the gateway address of the first port.

However, Blewett teaches a gateway using a rule table to determine whether to accept or 
drop packets received based upon source/destination port, protocol, and source/destination IP 
addresses (column 10, lines 14-40). It would have been obvious for one of ordinary skill in the 
art at the time of the invention to further modify Chrysanthakopoulos to determine whether the 
destination IP address of a packet received in a second port (non-management port) corresponds 
to the gateway address of a first port (management port), as Blewett teaches utilizing various 
types of packet handling rules to implement a desired security gateway functionality (column 10, 
lines 11-13) (in this case, filtering management commands as taught by Chrysanthakopoulos in 
view of Haviland). 

As per claim 12, Chrysanthakopoulos teaches a network device comprising: 
a plurality of ports including a management port (column 5, lines 26-31, predetermined 
management port; Fig. 2, item 222c - management port--; Fig. 2, items 222a or 222b - other 
ports-). Chrysanthakopoulos additionally teaches determining whether a management 
command was received (column 6, lines 28-29); such that any management commands received 
from devices coupled to the communication bus but not to the management port -coupled to non- 
management port — cannot be authorized, and are ignored (column 2, lines 50-54); wherein an 
authorized management device can only be a device coupled, either directly or indirectly, to a 
management port of the computer (column 5, lines 50-53). 

Chrysanthakopoulos does not explicitly teach the device comprising:
a control component configured to: 

determine if a destination IP address included in a received data packet 
corresponds to a gateway IP address of the management port; 

if the destination IP address does correspond to the gateway IP address of the 
management port, determine if the data packet originated from a management virtual 
local area network (VLAN), wherein the management VLAN includes the management 
port; 

if the destination IP address did not originate from the management VLAN, 
determine if the data packet uses a management protocol; and 

if the data packet uses a management protocol, drop the packet.

However, Haviland teaches ASICs (a control component) which handle packet 
forwarding (page 3), wherein management ports have corresponding gateway IP addresses (page 
25, second table), and wherein VLANs are designated for management traffic (page 15, column 
1). 

Thus, it would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Chrysanthakopoulos in order to define such a "coupling" via a management 
VLAN, as Haviland teaches that doing so allows access to management traffic and management 
ports to be carefully controlled (page 15). Thus, Chrysanthakopoulos in view of Haviland 
teaches a control component configured to: determine if the data packet originated from a 
management virtual local area network (VLAN), wherein the management VLAN includes the 
management port; if the data packet did not originate from the management VLAN, determine if 
the data packet uses a management protocol; and if the data packet uses a management
protocol, drop the packet. 

Neither reference explicitly teaches the invention whereby prior to determining if the data 
packet originated from a management VLAN, determine if a destination IP address included in a 
received data packet corresponds to a gateway IP address of the management port.

However, Blewett teaches a gateway using a rule table to determine whether to accept or 
drop packets received based upon source/destination port, protocol, and source/destination IP 
addresses (column 10, lines 14-40). It would have been obvious for one of ordinary skill in the 
art at the time of the invention to further modify Chrysanthakopoulos to determine whether the 
destination IP address of a packet received in a second port (non-management port) corresponds 
to the gateway address of a first port (management port), as Blewett teaches utilizing various
types of packet handling rules to implement a desired security gateway functionality (column 10, 
lines 11-13) (in this case, filtering management commands as taught by Chrysanthakopoulos in 
view of Haviland). 

As per claim 13, Chrysanthakopoulos in view of Haviland and Blewett teaches the 
network device of claim 12, as applied above. Chrysanthakopoulos in view of Haviland and 
Blewett additionally teaches the network device wherein if the destination IP address does not 
correspond to the gateway IP address of the management port, the control component is 
configured to pass the data packet (column 2, lines 62-64, column 8, lines 28-35, normal data 
traffic may be passed). 

As per claim 14, Chrysanthakopoulos in view of Haviland and Blewett teaches the
network device of claim 12, as applied above. Chrysanthakopoulos in view of Haviland and 
Blewett additionally teaches the network device wherein if the data packet did originate from the 
management VLAN, the control component is configured to pass the data packet (Analogously, 
Chrysanthakopoulos in view of Haviland teaches a device constitutes an authorized device if it is 
coupled to the management VLAN, such that the management command is executed. 
(Chrysanthakopoulos, column 7, lines 7-10)). 

As per claim 15, Chrysanthakopoulos in view of Haviland and Blewett teaches the 
network device of claim 12, as applied above. Chrysanthakopoulos in view of Haviland and 
Blewett additionally teaches the network device wherein if the data packet does not use a 
management protocol, the control component is configured to pass the data packet (column 2, 
lines 62-64, column 8, lines 28-35, normal data traffic may be passed). 
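
The decision sequence of claims 12-15, written out as an added example that is not part of the Office action or of any cited reference. It places the examiner's interpretation beside the order as literally recited; the gateway address, VLAN ID, protocol list and sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed values for illustration; none of them appear in the Office action.
MGMT_GATEWAY_IP = ip_address("192.0.2.1")   # gateway IP address of the management port
MGMT_VLAN_ID = 99                           # management VLAN (includes the management port)
MGMT_PROTOCOLS = {("tcp", 22), ("tcp", 23), ("udp", 161)}  # SSH, Telnet, SNMP


@dataclass(frozen=True)
class Packet:
    dst_ip: str      # destination IP address carried in the packet
    vlan_id: int     # VLAN the packet originated from
    proto: str       # "tcp" or "udp"
    dst_port: int


def _vlan_then_protocol(pkt: Packet) -> str:
    """Steps shared by both readings: VLAN of origin, then protocol."""
    if pkt.vlan_id == MGMT_VLAN_ID:
        return "pass"                       # claim 14: came from the management VLAN
    if (pkt.proto, pkt.dst_port) in MGMT_PROTOCOLS:
        return "drop"                       # claim 12: management protocol from elsewhere
    return "pass"                           # claim 15: not a management protocol


def filter_as_interpreted(pkt: Packet) -> str:
    """Claims 12-13 as interpreted for examination: only packets addressed
    to the management gateway IP go through the VLAN and protocol checks."""
    if ip_address(pkt.dst_ip) != MGMT_GATEWAY_IP:
        return "pass"                       # claim 13 (DOES NOT correspond -> pass)
    return _vlan_then_protocol(pkt)


def filter_as_recited(pkt: Packet) -> str:
    """Claims 12-13 as literally recited: packets addressed to the
    management gateway IP are passed without further checks."""
    if ip_address(pkt.dst_ip) == MGMT_GATEWAY_IP:
        return "pass"                       # claim 13 as recited
    return _vlan_then_protocol(pkt)


# Constructed sample packets (not taken from the application or the references).
SAMPLE_PACKETS = {
    "ssh_to_gateway_from_user_vlan": Packet("192.0.2.1", 10, "tcp", 22),
    "ssh_to_gateway_from_mgmt_vlan": Packet("192.0.2.1", 99, "tcp", 22),
    "http_to_gateway_from_user_vlan": Packet("192.0.2.1", 10, "tcp", 80),
    "ssh_to_other_host_from_user_vlan": Packet("198.51.100.7", 10, "tcp", 22),
}


def compare() -> dict:
    """Return {packet name: (verdict as interpreted, verdict as recited)}."""
    return {
        name: (filter_as_interpreted(pkt), filter_as_recited(pkt))
        for name, pkt in SAMPLE_PACKETS.items()
    }


if __name__ == "__main__":
    for name, (interpreted, recited) in compare().items():
        print(f"{name:34s} interpreted={interpreted:4s} recited={recited}")
```

The two readings disagree on the first and last sample packets: as recited, a management-protocol packet addressed to the management gateway from outside the management VLAN is passed, while ordinary management traffic to an unrelated host is dropped.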

As per claim 16, Chrysanthakopoulos in view of Haviland and Blewett teaches the 
network device of claim 12, as applied above. Chrysanthakopoulos in view of Haviland and 
Blewett additionally teaches the network device wherein the network device is a router 
(Haviland, pages 24-25, routers rla and rib feature management ports). 



21. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over
Chrysanthakopoulos in view of Haviland, further in view of Sylvest et al. (US Pre-Grant 
Publication 2003/0188003) (hereinafter Sylvest) (previously cited). 

As per claim 6, Chrysanthakopoulos in view of Haviland teaches the method of claim 5,
as applied above. Neither reference teaches the method, wherein management data packets have
higher priority than other data packets routed through the network device.

However, Sylvest teaches management packets having higher priority than the data 
packets (paragraph [0029], a prioritizer assures that user data flow cannot pre-empt management
data flow). 

It would have been obvious for one of ordinary skill in the art at the time of the invention 
to further modify Chrysanthakopoulos in order to provide management packets with higher 
priority than that of data packets, as Sylvest teaches that this may prevent the loss of a 
management packet in the processing of received packets if there are periods of excessive 
incoming data packets (paragraph [0029]). 

22. Claim 9 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Chrysanthakopoulos in view of Haviland, and further in view of Glenn (A Summary of 
DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider 
Environment, 2003). 

As per claim 9, Chrysanthakopoulos teaches a network device comprising: 
a first port defined as a management port (column 5, lines 26-31, predetermined 
management port; Fig. 2, item 222c); 

a second port which is defined as a non-management port (Fig. 2, items 222a or 222b);

a processing component operable to provide management functions that allow a user to
modify operation of the network device (column 7, lines 7-13, the device's controlling processor
executes the management command); and 

deny access to the management functions for hosts that transmit management data 
packets to the network device through the second port (column 6, lines 65-66, determining the 
receiving ports identification; column 2, lines 50-54, any management commands received from 
devices coupled to the communication bus but not to the management port -coupled to non- 
management port — cannot be authorized, and are ignored). 

Chrysanthakopoulos does not explicitly teach an application specific integrated circuit 
operable to deny access to the management functions for hosts that transmit management data 
packets to the network device through the second port.

However, Haviland teaches ASICs which handle packet forwarding (page 3). Therefore it 
would have been obvious for one of ordinary skill in the art at the time of the invention to 
provide an ASIC for filtering devices which attempt access to management functions through a 
non-management port. One would have been motivated to do so as Glenn teaches that ASIC 
based ACLs perform better than ACLs in software (page 22). 

23. Claims 10-11 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Chrysanthakopoulos in view of Haviland, and further in view of Glenn, and further in view of 
Blewett. 

As per claim 10, Chrysanthakopoulos in view of Haviland and Glenn teaches the network
device of claim 9, as applied above. Chrysanthakopoulos in view of Haviland and Glenn
additionally teaches the network device wherein the application specific integrated circuit is
further operable to: 

determine if the data packet utilizes a management protocol (column 6, lines 28-29, 
determining whether received management command); and 

if the data packet utilizes a management protocol, drop the data packet (column 6, lines 
28-29, determining whether received management command; column 2, lines 50-54, any 
management commands received from devices coupled to the communication bus but not to the 
management port -coupled to non-management port — cannot be authorized, and are ignored). 

None of the references explicitly teaches the device wherein the ASIC is operable to 
determine if a data packet received on the second port includes a destination IP address that 
corresponds to a gateway IP address of the first port, prior to determining whether the data 
packet utilizes a management protocol. 

However, Blewett teaches a gateway using a rule table to determine whether to accept or 
drop packets received based upon source/destination port, protocol, and source/destination IP 
addresses (column 10, lines 14-40). It would have been obvious for one of ordinary skill in the 
art at the time of the invention to further modify Chrysanthakopoulos to determine whether the 
destination IP address of a packet received in a second port (non-management port) corresponds 
to the gateway address of a first port (management port), as Blewett teaches utilizing various 
types of packet handling rules to implement a desired security gateway functionality (column 10, 
lines 11-13) (in this case, filtering management commands as taught by Chrysanthakopoulos in 
view of Haviland). 

As per claim 11, Chrysanthakopoulos in view of Haviland and Glenn and Blewett teaches
the network device of claim 10, as applied above. The references additionally teach the network 
device, wherein the first port is defined to be part of a management virtual local area network 
(Haviland, page 15, column 1, designating a VLAN for management traffic whereby policies can
be applied with access lists), and wherein only devices that are coupled to the management 
virtual local area network have access to the management functions of the processing component 
(Chrysanthakopoulos, column 5, lines 50-53, an authorized management device can only be a 
device coupled, either directly or indirectly, to a management port of the computer. It would 
have been obvious to define such a "coupling" via a management VLAN, as Haviland (page 15) 
teaches that doing so allows access to management traffic and management ports to be carefully 
controlled). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to VIRGINIA HO whose telephone number is 571-270-7309. The 
examiner can normally be reached on Mon to Thu; 8:30 AM - 5:00 PM (Eastern). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 